The Reverse Engineering Language REILand its applications

Sebastian Porst (sebastian.porst@zynamics.com)zynamics GmbH

I write code for

... sometimes I debug other people‘s code

We love graphsWe love static analysis

We want to improve binary code RE

Reverse Engineering Intermediate Language

Three Good Reasons for REIL

Simple

Free of side-effects

Platform-Independent

988

1000+

17

PowerPC x86

Fewer Instructions

REIL

X86 Code PowerPC Code ARM Code

X86 Translator PowerPC Translator ARM Translator

REIL Code

MonoREIL Other AnalysisAlgorithms

Close to the original architecture

Infinite amount of memory

Infinite number of registers

Register-based Virtual Machine

REIL VMArchitecture

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Instructions

1 REIL AddressNative PartREIL Part

1 REIL Mnemonic3 Operands∞ Metadata

1 REIL Operand2 (really 3) Pieces of Information3 Operand Types7 Operand Sizes∞ Operand Values

40131A.07 add (t0, b4), (t1, b4), (t2, b8), [(foo, bar)]

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Six Arithmetic Instructions

AdditionLogical ShiftUnsigned DivisionUnsigned ModuloUnsigned MultiplicationSubtraction

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Bitwise Instructions

Bitwise ANDBitwise ORBitwise XOR

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Data Transfer Instructions

Load MemoryStore MemoryTransfer Register Content

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Two Logical Instructions

Compare to ZeroJump Conditional

addandbiszbshdivjccldmmodmulnoporstmstrsubundefunknxor

Three Other Instructions

No OperationUndefine RegisterUnknown Mnemonic

All Instructions are equal ...

... but some instructions aremore equal than others

add t0, t1, t2

and t0, t1, t2

bsh t0, t1, t2

div t0, t1, t2

mod t0, t1, t2

mul t0, t1, t2

or t0, t1, t2

sub t0, t1, t2

xor t0, t1, t2

bisz t0, , t2

jcc t0, , t2

ldm t0, , t2

nop , ,

stm t0, , t2

str t0, , t2

undef , , t2

unkn , ,

What REIL can‘t do

FPU Instructions

System Instructions

Weird Instructions

fadd

...

int

...

setend

...

More Architectures (x64, MIPS, ...)

More Instructions

More Operand Information

So ...

... what is it all good for?

Register Tracking

Follow the effectsof a register

on the program state

DemoRegister Tracking

Negative Array Access

MS08-67

DemoMS08-67

... but aren‘t those really difficult to implement?

NO!

MonoREIL

Create an Instruction Graph

Define a Lattice

Define Transformations

Define a Graph Walker

Define a Start Vector

Create an Instruction Graph

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

int t4 = t0 == -15 ? 32 : 16

Define Lattice Elements

B

T

Define Transformations

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Join function

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Graph Walker

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

Define a Start Vector

node1 → initialState1

node2 → initialState2

node3 → initialState3

node4 → initialState4

node5 → initialState5

...noden → initialStaten

Running MonoREIL

1400: add t0, 15, t1

1401: bisz t1, , t2

1402: jcc t2, , 1405

1403: str 8, , t3 1405: str 16, , t3

1406: add t3, t3, t4

1407: jcc 1, , 1420

1404: jcc t2, , 1406

initialState1400 → finalState1400

initialState1401 → finalState1401

initialState1402 → finalState1402

initialState1406 → finalState1406

initialState1407 → finalState1407

initialState1405 → finalState1405

initialState1403 → finalState1403

initialState1404 → finalState1404

The Result

node1 → finalState1

node2 → finalState2

node3 → finalState3

node4 → finalState4

node5 → finalState5

...noden → finalStaten

LOC? 14 + n

Lattice

8 + n

TransformationsGraph

1

12 + n

Start VectorWalker

1 + n

Register Tracking120

Lattice

120

TransformationsGraph

1

90

Start VectorWalker

1

MS08-67

500

Lattice

1700

TransformationsGraph

1

150

Start VectorWalker

1

Deobfuscating Optimizer

Type Reconstruction

BinAudit

Related Work

ELIR (ERESI Project)

Vine (BitBlaze)

Silvio Cesare

Hex-Rays

Thank You!

Questions?